Securing The Digital Workplace

Transcription

ClearPassEcosystemTomas MuliuolisHPE ArubaBaltics lead

2

Changes in the market createparadigm shifts3

Today’s New Behavior and ThreatsGenMobile Access from anywhere?BYOD Trusted or untrusted?Open Networks Stay away or safe?Bad Apps and Hackers How do you keep up?4

Ponemon 2015 Results5

Why ClearPassHow to start to build solution?Align to single security vendor strategy?Ask from colleagues from industry?Build own strategy based on best guess?Search for different solutions in web?Align to regulations and compliancy?Ask expert?Just leave as it is?6

Time for a New Defense StrategyPerimeter DefenseMobility aysPhysicalAccess Policy ManagementIDS/IPS/AVNetwork InfrastructurePolicy needed for central point of control7

ClearPass Core TWORK OREProfilerAD/LDAPAAA/RADIUSEmployeeUSERSNACCert. AuthorityContractorOnboardingClearPassSQLPolicy – Visibility- WorkflowTime/DayHeadlessDevicesGuestLocationDevice RegistrationEmployeeBYODDevice Type/HealthUser/RoleCONTEXT8

ClearPass Exchange – Partner IntegrationIntegration catalogcommunity.arubanetworks.com9

Eco system is key for secure infrastructureClearPassExchangeOver 120 different partners10

ClearPass Exchange Continues to GrowGranulartraffic controlwith user andNext-GenPerimeter DefenseMDM / EMMNetworkcontrols usingreal-timedevice datadevice dataVisibility intolocation andtime withgranularcontrolsVisibility andinteractivecontrolfeaturesSIEM, Automation, MFAInfrastructureNEW11

ClearPassWhy ClearPassMultivendor & 3rd Party integrationUser-experience driven applicationsScalability and cost advantagesBusiness oriented policy services– building blocks, roles, troubleshooting tools12

CIS TOP 20 Controls for Effective Cyber Defense V 6.01. Inventory of Authorized and Unauthorized Devices11. Secure Configurations for Network Devices2. Inventory of Authorized and Unauthorized12. Boundary DefenseSoftware13. Data Protection3. Secure Configurations for Hardware and Software14. Controlled Access Based on the Need to Know4. Continuous Vulnerability Assessment and15. Wireless Access ControlRemediation16. Account Monitoring and Control5. Controlled Use of Administrative Privileges17. Security Skills Assessment and Appropriate Training to Fill6. Maintenance, Monitoring, and Analysis of Audit LogsGaps7. Email and Web Browser Protections18. Application Software Security8. Malware Defenses19. Incident Response and Management9. Limitation and Control of Network Ports20. Penetration Tests and Red Team Exercises10. Data Recovery Capability13

14

ClearPassPolicy and Network Access ControlNews15

6.6.1 Release - Things of Note Only one Virtual Image instead of one for 500, 5K, 25K (Vmware and HyperV) Customer uses menu to select proper version during deployment Reports now include data on Social Login use You can see Hostname for devices that connect via OnGuard agents We’ve gone to a single REST-based API architecture Replacing TipsAPI (XML), Guest SOAP APIs, and Guest XML-RPC a-p/27329716

6.6.2 Enhancements - ProfilingNMAPDHCP CDP, LLDPTCP SNMP We’re adding NMAP Port-based Scanner On-demand or pre-scheduled scans Granular visibility for like devices Enhances our competitive advantageWMISSH OnGuardBeforeAfterMac OUITwo IoT EndpointsLighting SensorNMAP ScanAccurate Policy DecisionTemperature Sensor17

ClearPass Exchange is GrowingClearPassExchangearubanetworks.comOver 120 different partners18

Customer’s 3rd Party Solution Provides needed Security orService, But!Solution lacks neededwired/wireless featureIT lacksintegration expertiseThey have ClearPassbut no built-in integrationWhat do you do?19

ClearPass Extensions - New 3rd Party Integration OptionExtensions Repository Opens doors for new Exchange partnershipsArubaClearPass Device authorization, MFA, visitor registration,EMM/MDM and more Extends use of existing security, productivitysolutions Fast, no heavy lifting integration model.20

Extensions for Intel Security - McAfee ePOCompliant endpointsallowed accessDevices establish1 connectionsProductionResources2 Devices profiledClearPass checks ePO3 for endpoint statusCorporateowned and IoTMulti-vendorswitchingPolicy and NACBYOD andcorporate ownedePO managed endpointsMcAfee ePOClearPass enforcesMulti-vendorWLAN4 access privilegesQuarantineVlanNon compliantendpoints can besent to quarantine21

Security for IoT is a Concern, But!Devices have no802.1X capabilityNot all switchessupport 802.1XIT lacks time or802.1X expertiseWhat do you do?22

ClearPass OnConnect for Easy Wired NAC EnforcementArubaClearPassNo 802.1XSNMPEnforcementExisting 802.1Xwired/wireless supportPrinter VlanInfusion Pump Vlan Built-in device-centric security for all non-AAA ready customers Easy to configure on legacy multivendor switches Leverages ClearPass profiling for wired/wireless - IoT, laptops, mobilephones.23

Ingress Engine Third-party Threat Protection1 User connects anduploads threat2 NGFW/IPS sendsevent to ClearPass3 ClearPass isolatesclient** Firewall / IPSLAN/WLANAdaptive Trust Defense based on real-time threat detection Offers enhanced user experience as ClearPass can initiate usernotifications, help-desk tickets, and update third-party security solutions ** Device in step 2 can be MDM/EMM, SIEM, etc.24

Enhanced Profiling and Policy – Solving IoT IssuesOLD WAY:Wait for new Fingerprints tobe made and/or manuallyoverride devices 1:1NEW WAY:Create your ownFingerprints!25

Thank You

Extensions for Intel Security - McAfee ePO Corporate owned and IoT BYOD and corporate owned Multi-vendor switching Multi-vendor WLAN Policy and NAC ePO managed endpoints McAfee ePO Production Resources Quarantine . ** Device in step 2 can be MDM/EMM, SIEM, etc. 1 2 3. 25 NEW WAY: Create your own Fingerprints! OLD WAY: